Cisco Cyber Threat Defense Solution Overview

Hierarchical Navigation

Viewing Options

The network security threat landscape is ever evolving. But always at the cutting edge are custom-written, stealthy threats that evade traditional security perimeter defenses. These threats infiltrate the interior of the network - the core, the distribution layer, and the user access edge - where threat defenses and visibility are minimal. From there they quietly target specific assets, and even specific people, within an organization. The goal of these advanced cyber threats is not notoriety and fame, or even setting up a for-profit botnet; it’s to gather and exfiltrate intellectual property or state/trade secrets for competitive advantage in industry, economy, and sociopolitical ends.

This document explains:

●What’s at stake and key challenges in gaining visibility to customized threats

Well-understood and known security threats are effectively combated by a well-designed and mature security infrastructure that includes components like intrusion prevention, antivirus, content security, and firewall. But custom-written threats designed for specific targets with specific intent represent a tougher challenge. Customized threats are designed based on specific knowledge of a target, often based on reconnaissance of the network or people at the organization, or both. Once the custom threat has breached the perimeter defenses of the network, it typically spreads laterally in the interior of the network where threat defense devices are not generally pervasively deployed. By remaining quiet and hidden in the noise of normal network traffic, the threats can spread under the radar among specific targets. Perimeter defenses do not have visibility into these threats. Many times these threats are actually introduced inside the perimeter via social engineering, spear phishing, or external media like USB drives. And while prevention is important, even the most diligent patching will not completely guard against these threats.

The risk and damage caused by advanced cyber threats varies by source. Victims of these types of security breaches are not motivated to disclose their impacts, but primary research into advanced cyber threats indicates that this is a quickly growing problem with significant impact. Some key statistics to consider:

●63% of threats are customized for their target environment - a three-fold increase since 20061

●A five-fold increase in attacks against the U.S. government from 2006 to 20092

●59% of organizations in the United States believe that they have been targets of cyber threats3

Once these threats have penetrated the network perimeter, the only place left to identify them is where they live: the network interior. One must look for “fingerprints” of the threat by analyzing traffic patterns across the switches and routers that comprise the network interior. From this analysis, one can gain insight into patterns that are indicative of advanced cyber threat traffic. Whether it is an internal client trying to set up peer-to-peer connections with other clients on its subnet or clients communicating with unusual regions of the world, analysis of traffic patterns provides visibility into potential cyber threats.

●Identity, firewall, and application-type contextual information for discerning the nature and severity of a threat. These context points are delivered by the Cisco Identity Services Engine, ASA firewalls, and Cisco routers, respectively

Figure 2. Components of the Cisco Cyber Threat Defense Solution

With this telemetry and contextual information, a network security analyst can, from a single pane of glass, identify suspicious activity, gather pertinent user information, identify the application, and look up other relevant security context. This enables assessment of the nature and the potential danger of the suspicious activity. With this information, the analyst can decipher the correct next steps for advanced cyber threats such as:

●Network reconnaissance - The act of probing the network looking for attack vectors that can be exploited by custom-crafted cyber threats

●Network interior malware propagation - Spreading malware across hosts for the purpose of gathering security reconnaissance data, exfiltrating data, or creating back doors to the network

●Command and control traffic - Communications between the attacker and the compromised internal hosts

●Data theft - Exporting sensitive information back to the attacker, generally via command and control communications

Benefits of the Cisco Cyber Threat Defense Solution

The Cisco Cyber Threat Defense Solution focuses on the most complex and dangerous information security threats - threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. Cisco provides visibility into these threats and context to decipher their potential damage.

Key benefits of the Cisco Cyber Threat Defense Solution:

●Provides threat defense in the network interior, where the most elusive and dangerous threats target

●Detects threat closer to the source to minimize damage and propagation

●Enables scalable, ubiquitous, and cost-effective security telemetry throughout the network

Full Security Telemetry from the Network Interior: Cisco Network Infrastructure

Recent advances in Cisco Catalyst switches enable the industry’s first pervasive network traffic telemetry - from the user access edge to distribution to the core of the switching network. The line-rate, non-performance-impacting NetFlow telemetry capabilities of the Cisco Catalyst 3560-X, 3750-X, 4500, and 6500 Series provide insight into traffic patterns characteristic of threats that have bypassed the security perimeter and are attempting to remain below the detection radar. Key to delivering this visibility is Cisco’s ability to generate unsampled NetFlow data in scale from these platforms.

NetFlow telemetry comes in two forms:

●Sampled - A small subset of traffic, usually less than 5%, is sampled and used to generate NetFlow telemetry data. This gives a “snapshot” view into network activity, like reading a book by skimming every 100th page

●Unsampled - All traffic is used to generate NetFlow telemetry, providing a comprehensive view into all activity on the network. Using the book analogy, this is reading every word in the book

The customized, stealthy nature of advanced cyber threats requires full visibility into network traffic patterns if they are to be detected. This can only be achieved using full, unsampled NetFlow telemetry. Only a Cisco Catalyst switch can deliver this unsampled NetFlow data at line rate without any impact to network performance.

With the Cisco network infrastructure delivering ubiquitous NetFlow telemetry, the next step is to collect and analyze that data. The Lancope StealthWatch System, available from Cisco, is purpose-built to aggregate and normalize massive amounts of NetFlow data, and then apply security analytics to detect malicious and suspicious network traffic patterns as presented through the StealthWatch Management Console.

●FlowSensor - A physical appliance that provides an overlay solution for generating NetFlow data for legacy Cisco network infrastructures not capable of producing line-rate, unsampled NetFlow data. Also for environments where IT security prefers a dedicated overlay architecture separate from the network infrastructure

●FlowSensorVE - A virtual appliance that provides the same function as the FlowSensor, but for virtual machine environments

●FlowReplicator - A physical appliance that provides a single point for forwarding NetFlow data as a single data stream to other consumption devices

Key to establishing the potential threat of suspicious traffic is contextual information regarding the user associated with that traffic. Utilizing the Cisco Identity Services Engine, Cisco’s flagship network policy engine, user identity, device profile, and posture information can be bound to NetFlow data in the StealthWatch Management Console, thus providing a unified view of suspicious traffic patterns and the user information relevant to establishing if those patterns are malicious. Using the Cisco Identity Services Engine as part of the Cyber Threat Defense Solution provides insight into:

●Are there other relevant user session events? - Access to all AAA events associated with the user

●How best to execute user-based remediation? - Comprehensive event and status visibility of the user affected by the threat needed to determine and execute the right next steps for remediation

Additionally, the application associated with the suspicious traffic is key to deciphering the nature and severity of the threat. Application information can be discerned utilizing Network-Based Application Recognition (NBAR) information collected from Cisco routers. This information is also collected and reported to the Lancope StealthWatch Management Console.

Finally, when connections pass through a NAT gateway, they can be represented and analyzed as a single flow from the traffic analysis screen within the Lancope StealthWatch Management Console, using Lancope’s NAT stitching feature. This allows the security analyst to see internal and external address information for the translated connections in its proper context, facilitating timely analysis and incident response.

Using these points of context, a security analyst can, from a single pane of glass, identify suspicious activity, gather pertinent user information, and then assess and respond to the potential danger of the suspicious activity. Utilizing the comprehensive user visibility capabilities of the Cisco Identity Services Engine, the analyst can formulate and execute remediation for affected users. The Cisco Identity Services Engine provides complete insight to the history and status of the user, policy, posture, and device, as well as quarantine or network disconnect remediation functions. Collectively, these context and remediation capabilities enable the analyst to decipher the correct next steps to take concerning the threat in a timely, efficient, and cost-effective manner.

Why Cisco?

The Cisco Cyber Threat Defense Solution delivers broad visibility into the most dangerous and stealthy network threats by providing ubiquitous threat detection within the interior of the network. By combining traffic analysis with user, application, and firewall context, Cisco delivers:

●Ubiquitous interior network visibility where little exists today

●A cost-effective approach to this ubiquitous visibility

●Full, unsampled data security telemetry via line-rate NetFlow

●Relevant contextual information for deciphering the nature and severity of the threat via the Cisco Identity Services Engine, Cisco SIO, and application recognition